BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.22
BEGIN:VEVENT
DESCRIPTION: '\n\n\n Automated Discovery of Deserialization Gadget Chai
ns\n\n Friday at 16:00 in 101 Track\, Flamingo\n 45 minutes | Tool\n\n
Ian Haken Senior Security Software Engineer\, Netflix\n\n Although vu
lnerabilities stemming from the deserialization of\n untrusted data have
been understood for many years\, unsafe\n deserialization continues to
be a vulnerability class that isn't going\n away. Attention on Java dese
rialization vulnerabilities skyrocketed in\n 2015 when Frohoff and Lawre
nce published an RCE gadget chain in the\n Apache Commons library and as
recently as last year's Black Hat\,\n Muñoz and Mirosh presented a s
urvey of dangerous JSON\n deserialization libraries. While much research
and automated detection\n technology has so far focused on the discover
y of vulnerable entry\n points (i.e. code that deserializes untrusted da
ta)\, finding a "gadget\n chain" to actually make the vulnerability expl
oitable has thus far\n been a largely manual exercise. In this talk\, I
present a new\n technique for the automated discovery of deserialization
gadget chains\n in Java\, allowing defensive teams to quickly identify
the significance\n of a deserialization vulnerability and allowing penet
ration testers to\n quickly develop working exploits. At the conclusion
we will also be\n releasing a FOSS toolkit which utilizes this methodolo
gy and has been\n used to successfully develop many deserialization expl
oits in both\n internal applications and open source projects.\n\n Ian
Haken\n Ian Haken is a senior security software engineer at Netflix whe
re he\n works on the platform security team to develop tools and service
s that\n defend the Netflix platform. Before working at Netflix\, he spe
nt two\n years as a security researcher at Coverity where he developed def
ensive\n application security tools and helped to develop automated disc
overy\n of security vulnerabilities through static software analysis. He
\n received his Ph.D. in mathematics from the University of California\,
\n Berkeley in 2014 with a focus in computability theory and algorithmic
\n information theory.\n\n '\n\n
DTEND:20180810T234500Z
DTSTART:20180810T230000Z
LOCATION:DEFCON - Track 101
SUMMARY:Automated Discovery of Deserialization Gadget Chains
END:VEVENT
END:VCALENDAR